Uber confirms personal information of 57 million users and drivers was hacked
Hackers stole the personal information of 57 million Uber users and drivers last year, the taxi-hailing company's chief executive has revealed.
In a blog post, Dara Khosrowshahi, who took over in August, said he recently learned that two individuals outside the company "inappropriately accessed user data" in late 2016.
Stored in a third-party cloud-based service, Mr Khosrowshahi said the personal information of 57 million Uber users and drivers worldwide had been hacked.
This included names, email addresses and mobile phone numbers, as well as the names and number plates of some 600,000 drivers in the United States.
Mr Khosrowshahi said in the post: "At the time of the incident, we took immediate steps to secure the data and shut down further unauthorized access by the individuals.
"We subsequently identified the individuals and obtained assurances that the downloaded data had been destroyed."
Bloomberg, the first to report the story, said that Uber paid $100,000 to the hackers to delete the data and keep the breach under wraps.
Mr Khosrowshahi said there had been "no indication" trip history, credit card details, bank account numbers or dates of birth were downloaded by the hackers.
"While we have not seen evidence of fraud or misuse tied to the incident, we are monitoring the affected accounts and have flagged them for additional fraud protection," Mr Khosrowshahi said.
"None of this should have happened, and I will not make excuses for it.
"While I can't erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes."
Dermot Williams, Managing Director of Threatscape has said, "Uber has said the 600,000 affected drivers were all in the USA, but it seems the 57 million users whose information was stolen are located around the world.
"How many were in Ireland or the EU is not year clear – but were a breach like this to happen after May 2018 when GDPR is in force, the potential fines for a large breach of EU consumer data would be enormous and a 13-month delay in notifying the authorities would be unthinkable."
Responding to Uber CEO Dara Khosrowshahi’s blog post on the breach Mr Williams said: "Khosrowshahi is quick to point out that the incident ‘did not breach our corporate systems or infrastructure’ – but this is misleading as online companies rarely own the systems they use to store and process data, instead renting capacity from cloud providers such as Amazon, Microsoft and Google.
"A key aspect of the cloud era is that while a company like Uber may not be responsible for the operation of the third-party cloud services it uses, it is still very much accountable for the security of customer data stored there – including ensuring its personnel carefully guard the passwords for accessing that data. In this respect, Uber dropped the ball."
For Irish Uber customers Mr Williams advises: "Make sure you're not using the same password for Uber as you're using for other websites or online services, and if you are you need to change these as a matter of urgency.
"Also while Uber do not believe customer credit card information was stolen, it always prudent to monitor your statements for any unauthorised transactions."
